CACHE enhances security enforcement by leveraging its compartmentalization architecture on commodity hardware, isolating critical components and controlling intercommunication through secure access-control mechanisms. Image credit: Charles River Analytics, Inc.

DARPA awards Charles River Analytics $4.2M to advance cybersecurity through compartmentalization

Charles River Analytics was awarded a contract for up to $4.2 million from the Defense Advanced Research Projects Agency (DARPA) to create a compartmentalization architecture to enhance cybersecurity. This effort supports DARPA’s Compartmentalization and Privilege Management (CPM) program, which focuses on a new approach to cyber resilience.

Traditional cybersecurity focuses on perimeter defenses designed to stop external threats from entering an organization’s network. The CPM program aims to protect systems from cyberattacks even after an attacker has gained initial access. This new approach assumes the attacker is already in the system and limits their damage by compartmentalizing the system and enforcing access controls, regardless of how they initially access the system.

To this end, Charles River Analytics is developing a Compartmentalization Architecture using Commodity Hardware for Enforcement (CACHE), which takes existing software systems and decomposes them into smaller pieces that can be more easily protected from attacks.

“CACHE provides a new way of looking at cybersecurity and protecting systems from the inside out that is very fine-grained and flexible,” said Gerald Fry, Senior Scientist at Charles River and Principal Investigator on the CACHE effort. “I think it’s going to make big changes in the cybersecurity landscape and also make it more difficult for the hacker community to be successful in their campaigns, whether that’s an individual hacker, sophisticated nation-state hackers, or advanced persistent threats.”

CACHE changes the mindset from just protecting the boundary to mitigating threats inside a system. It’s like protecting valuable items inside a home—in addition to door alarms and external locks, you can also add locks on internal doors and keep sensitive items in a combination safe. The mindset assumes an attacker has already breached the outer perimeter.

“Compartmentalization is a groundbreaking way to think about security—it shifts your mindset from reactive perimeter defense to proactive containment. Instead of just preventing breaches, defenders assume attackers may get in and focus on limiting damage through isolation and least privilege,” said Dr. Joel Hypolite, Research Scientist at Charles River Analytics and CACHE’s Technical Lead.

The team is collaborating with experts at Boston University to develop an approach that repurposes existing hardware architectures. “We have a lot of knowledge of the underlying hardware in these existing systems,” Fry adds. “If you look close enough, there are pieces already there to be used in creative ways that don’t require new hardware.”

To provide separation and enforcement of security policies within individual compartments, CACHE implements a “root of trust” component (a trusted starting point verifying that a system is secure) that configures the hardware to enforce the access control policies. In addition, the team is automating tedious tasks so that human intervention is only needed when the system detects a potential access violation.

The key expected benefits for DARPA include demonstrating a novel, effective, and broadly applicable cybersecurity approach that can be implemented using existing hardware. Improving cybersecurity also has direct safety implications because it will help protect physical systems that are connected to the Internet, such as autonomous vehicles.

This material is based upon work supported by the Air Force Research Laboratory (AFRL) and DARPA under Contract No. FA8750-24-C-B022. Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the AFRL or DARPA.